AttackerKB AKB:A4C40AA9-050B-4FF2-A029-BE3ADC6857CA
History: Sep 03, 2019 - 12:00 a.m.

CVE-2019-15043

2019-09-03 00:00:00
attackerkb.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

Recent assessments:

h0ffayyy at September 26, 2020 6:21pm UTC reported:

The Dashboard Snapshot API allows an unauthenticated user to create dashboard snapshots. An attacker could generate enough snapshots to eventually fill up the disk on the Grafana server, causing the denial of service.

My proof of concept can be found here: <https://github.com/h0ffayyy/CVE-2019-15043>

Assessed Attacker Value: 1
